Tag Archives: Privacy

Swedish Internet Users Face New Wave of Piracy Cash Demands

Post Syndicated from Andy original https://torrentfreak.com/swedish-internet-users-face-new-wave-of-piracy-cash-demands-170225/

Last year, mass ‘copyright-trolling’ hit Sweden for the first time. An organization calling itself Spridningskollen (Distribution Check) claimed its new initiative would save the entertainment industries and educate the masses.

Predictably there was a huge backlash, both among the public and in the media, something which eventually led the group to discontinue its operations in the country. Now, however, a new wave of trolling is about to hit the country.

Swedish publication Breakit.se reports that a major new offensive is about to begin, with a Danish law firm Njord and movie company Zentropa at the helm.

The companies are targeting the subscribers of several ISPs, including Telia, Tele2 and Bredbandsbolaget, the provider that will shortly begin blocking The Pirate Bay. It’s not clear how many people will be targeted but Breakit says that many thousands of IP addresses cover 42 pages of court documents.

Bredbandsbolaget confirmed that a court order exists and it will be forced to hand over the personal details of its subscribers.

“The first time we received such a request, we appealed because we do not think that the privacy-related sacrifice is proportionate to the crimes that were allegedly committed. Unfortunately we lost and must now follow the court order,” a spokesperson said.

It appears the trolls are taking extreme measures to ensure that ISPs comply. Some Swedish ISPs have a policy of deleting IP address logs but earlier this week a court ordered Telia to preserve data or face a $22,000 fine.

Jeppe Brogaard Clausen of the Njord lawfirm says that after identifying the subscribers he wants to “enter into non-aggressive dialogue” with them. But while this might sound like a friendly approach, the ultimate aim will be to extract money. It’s also worth considering who is behind this operation.

The BitTorrent tracking in the case was carried out by MaverickEye, a German-based company that continually turns up in similar cases all over Europe and the United States. The company and its operator Patrick Achache are part of the notorious Guardaley trolling operation.

Also of interest is the involvement of UK-based Copyright Management Services Ltd, whose sole director is none other than Patrick Achache himself. The company is based at the same London address as fellow copyright trolling partner Hatton and Berkeley, which previously sent cash settlement demands to Internet users in the UK.

In addition to two Zentropa titles, the movies involved in the Swedish action are CELL, IT, London Has Fallen, Mechanic: Resurrection, Criminal and September of Shiraz. All have featured in previous Guardaley cases in the United States.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Anti-Piracy Measures Shouldn’t Stifle Free Speech, EFF Says

Post Syndicated from Ernesto original https://torrentfreak.com/anti-piracy-measures-shouldnt-stifle-free-speech-eff-says-170224/

Still undecided about the future of the DMCA law, the U.S. Government’s Copyright Office extended its public consultation to evaluate the effectiveness of the Safe Harbor provisions.

The study aims to signal problems with the current takedown procedures and addresses ISPs’ repeat infringer policies, copyright takedown abuses, and the ever-increasing volume of DMCA notices.

Together with various rightsholders and Internet services, the Electronic Frontier Foundation (EFF) also submitted its recommendations this week. The digital rights group believes that the current law works as it should, and warns against a copyright enforcement expansion.

The Internet provides a crucial role in facilitating freedom of expression, something that shouldn’t be limited by far-reaching anti-piracy measures, the organization argues.

“Internet intermediaries provide the backbone for Internet users’ expression and are key to the public’s ability to exercise these rights,” EFF writes in its submission.

“Accordingly, the public has a strong interest in ensuring that the Internet remains a viable and accessible platform for free expression and innovation, and in ensuring that online platforms don’t unduly remove, filter, or block speech from the Internet.”

One of the areas of interest for the Copyright Office is how to deal with repeat infringers. The DMCA law requires Internet providers to have a repeat infringer policy in place, but stakeholders have different views on what these should look like.

According to the EFF, however, terminating people’s Internet access is much more than a slap on the wrist, as it can severely impede people’s ability to function in today’s society.

“Conduit ISPs serve as the bridge between their subscribers and the entire Internet. Terminating a subscriber’s Internet access account imposes a far more significant penalty that merely cutting off access to a single Internet service.”

Nowadays, terminating an Internet account often means that the entire household will be affected. The EFF warns that as a result, many people will lose access to important information and tools, which are needed for school, jobs, and even government services.

“Indeed, as former President Obama stated, Internet access today is ‘not a luxury, it’s a necessity’,” the EFF adds.

Another question posted by the Copyright Office deals with the necessity for anti-piracy filters. Yesterday, the RIAA and other music groups spoke out in favor of automated filters but the EFF fiercely opposes the idea.

One of the problems the group signals is that filtering will require Internet services to monitor their users’ activity, causing privacy concerns. In addition these filters will also be imprecise, targeting content that’s considered fair use, for example.

Finally, automated filters will require Internet services to police the Internet, which can be quite costly and stifle free speech at the same time.

“…by shifting the burden and cost of enforcement away from copyright holders and onto service providers, these proposals would stifle competition for Internet services, exacerbate current problems with the notice and takedown system, and increase the risk that valuable, lawful speech will be silenced,” the EFF writes.

The same free speech argument also applies to site-blocking initiatives. According to the EFF, such blocking efforts also restrict access to legitimate material. At the same time, the measures are far from effective.

“Site-blocking often has broader impacts on lawful online speech than intended. When entire domains are blocked, every other page hosted by those domains are subject to the block, regardless of whether they contain infringing content.

“Site-blocking is also largely ineffective at stemming online copyright infringement. Many sites are able to relaunch at new URLs, and users are often able to circumvent blocks using VPNs and the Tor browser,” the group adds.

In summary, the EFF concludes that overall the current law works pretty well and the group warns the Copyright Office not to give in to the broad “filter-everything” push from major copyright industry groups.

The EFF’s full submission to the U.S. Copyright office is available here (pdf).

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Brave: A Privacy Focused Browser With Built-in Torrent Streaming

Post Syndicated from Ernesto original https://torrentfreak.com/brave-a-privacy-focused-browser-with-built-in-torrent-streaming-170219/

After a reign of roughly a decade, basic old-fashioned BitTorrent clients have lost most of their appeal today.

While they’re still one of the quickest tools to transfer data over the Internet, the software became somewhat outdated with the rise of video streaming sites and services.

But what if you can have the best of both worlds without having to install any separate applications?

This is where the Brave web browser comes in. First launched two months ago, the new browser is designed for privacy conscious people who want to browse the web securely without any unnecessary clutter.

On top of that, it also supports torrent downloads out of the box, and even instant torrent streaming. To find out more, we reached out to lead developer Brian Bondy, who co-founded the project with his colleague Brendan Eich.

“Brave is a new, open source browser designed for both speed and security. It has a built-in adblocker that’s on by default to provide an ad-free and seamless browsing experience,” Bondy tells us.

Bondy says that Brave significantly improves browsing speeds while shielding users again malicious ads. It also offers a wide range of privacy and security features such as HTTPS Everywhere, script blocking, and third-party cookie blocking.

What caught our eye, however, was the built-in support for BitTorrent transfers that came out a short while ago. Powered by the novel WebTorrent technology, Brave can download torrents, through magnet links, directly from the browser.

While torrent downloading in a browser isn’t completely new (Opera has a similar feature, for example) Brave also supports torrent streaming. This means that users can view videos instantly as they would do on a streaming site.

“WebTorrent support lets Brave users stream torrents from their favorite sites right from the browser. There’s no need to use a separate program. This makes using torrents a breeze for beginners, a group that has sometimes found the technology a challenge to work with,” Bondy says.

Brave downloading

The image above shows the basic download page where users can also click on any video file to start streaming instantly. We tested the feature on a variety of magnet links, and it works very well.

On the implementation side, Brave received support from WebTorrent founder Feross Aboukhadijeh, who continues to lend a hand. Right now it is compatible with all traditional torrent clients and support for web peers will be added later.

“WebTorrent in Brave is compatible with all torrent apps. It uses TCP connections, the oldest and most widely supported way for BitTorrent clients to connect. We’re working on adding WebRTC support so that Brave users can connect to ‘web peers’,” Bondy says.

While the downloading and streaming process works well, there is also room for improvement. The user interface is fairly limited, for example, and basic features such as canceling or pausing a torrent are not available yet.

“Currently, we treat magnet links just like any other piece of web content, like a PDF file. To cancel a download, just close the tab,” Bondy notes.

What people should keep in mind though, considering Brave’s focus on privacy, is that torrent transfers are far from anonymous. Without a VPN or other anonymizer, third party tracking outfits are bound to track the downloads or streams.

In addition to torrent streaming, the browser also comes with a Bitcoin-based micropayments system called Brave Payments. This enables users to automatically and privately pay their favorite websites, without being tracked.

Those who are interested in giving the browser a spin can head over to the official website. Brave is currently available a variety of platforms including Windows, Linux, OS X, Android, and iOS.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

ONIOFF – Onion URL Inspector

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/J7Xe0rGGFgY/

ONIOFF is basically an Onion URL inspector, it’s a simple tool – written in pure python – for inspecting Deep Web URLs (or onions). It takes specified onion links and returns their current status along with the site’s title. It’s compatible with Python 2.6 & 2.7. Usage [crayon-58a70fa0d9c31893298873/] To view all available options run:…

Read the full post at darknet.org.uk

Pirate Bay Blockade Signals Copyright Industry’s Death Throes, ISP Boss Says

Post Syndicated from Andy original https://torrentfreak.com/pirate-bay-blockade-signals-copyright-industrys-death-throes-isp-boss-says-170214/

While in practical terms the impact may not be as pronounced as it would’ve been half a decade ago, yesterday a Court of Appeal in Sweden made a landmark decision.

After years of litigation by Universal Music, Sony Music, Warner Music, Nordisk Film and the Swedish Film Industry, local Swedish ISP Bredbandsbolaget (Broadband Company) was ordered to block The Pirate Bay and streaming portal Swefilmer.

The case went to trial at the Stockholm District Court during October 2015, ending in victory for the ISP at the District Court, but the Court of Appeal’s decision unraveled all of that, ordering Bredbandsbolaget to implement “technical measures” to prevent its customers accessing the ‘pirate’ sites through a number of domain names and URLs.

Considering the importance of having The Pirate Bay blocked on home turf, the official response from the industry was somewhat muted. Per Strömbäck, spokesman for the copyright holders, said that it’s good that the legal situation is becoming more clear. Representatives from the ISPs were much more animated.

Bredbandsbolaget itself said it was surprised at the decision, noting that not only does Swedish law does not support it, but it will also fail to achieve its aims.

“The Patent and Market Court of Appeal has not taken into account the intention of the legislator with Swedish law,” the company said.

“Our belief is that this type of blockage is not effective to prevent unlawful distribution of copyrighted work on the internet. Nor is it a good guarantee that creator will get paid for their works.

“Services must evolve and become more customer orientated. The film and television services that grow the most today are those who, instead of seeing the internet as a threat, see opportunities in digitalisation.”

Perhaps unsurprisingly, the reaction of Jon Karlung, boss of ISP Bahnhof, was much more scathing. Karlung has positioned himself and his company as defenders of Internet freedom and this decision has him all kinds of fired up.

“The entire industry is in shock. It is disastrous in so many ways, the judgment is a deathblow to a free and open Internet,” Karlung said.

“We are the postman and the postman does not read people’s mail, or take control over the content. [This ruling signals] the death throes of the copyright industry,” he added.

While the current action involves just a single ISP, it is crystal clear that the copyright holders didn’t come all this way to have just a couple of sites blocked by one provider. They will be back, probably sooner rather than later, to obtain more injunctions against more providers against a broad range of sites.

At this stage, it seems that any site with a large proportion of infringing content could become a target and Karlung is concerned just how far things could go.

“One can almost think of what the consequences are going to be. There’s copyrighted content on YouTube. And should we block Google, how will that work?”

According to Bredbandsbolaget’s interpretation of the Court ruling, it must block specific URLs to stop customers getting access to The Pirate Bay. However, there are fines attached if the ISP fails to do so and as everyone knows, blocking the site can be extremely difficult. As a result, the ISP says it needs time to work things out.

“Exactly what is it to be blocked? This is very technically complicated. It is extremely difficult to block access to sites. What this actually means to us, we need to analyze in detail,” the ISP said.

But for Bahnhof’s Jon Karlung, the approach seems more adversarial. At some point, it is almost certain his company will be subjected to a similar injunction that will force it to block The Pirate Bay, something the ISP chief vehemently opposes. However, speaking with HD.se, the Swede hinted at another possibility.

Co-opting the Court of Appeal’s instructions for Bredbandsbolaget to use “technical measures” to block The Pirate Bay, Karlung told the publication he may yet introduce “technical countermeasures” for the convenience of his customers.

Quite what that means is unclear, but offering VPN-like services is something that the company is already familiar with. Way back in 2014, Bahnhof provided its customers with a no-logging VPN service to protect their privacy.

That being said, if it chose to offer something along similar lines to unblock The Pirate Bay, the situation could get very interesting indeed.

In the UK, where a similar injunction forbids the country’s leading ISPs from providing customer access to The Pirate Bay, dozens of smaller ISPs still legally allow their customers to access the site. However, back in 2014 when a proxy provider decided to do the same, he was arrested by police. He’s still awaiting trial.

Either way, one gets the impression that the war for the so-called “free and open Internet” is far from over in Sweden – and there are still some people left that are prepared to fight for it.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

The Dystopia of Minority Report Needs Proprietary Software

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2017/02/13/Turow.html

I encourage all of you to either listen to or read the transcript of Terry
Gross’ Fresh Air interview with Joseph Turow about his discussion
of his book “The Aisles Have Eyes: How Retailers Track Your Shopping,
Strip Your Privacy, And Define Your Power”.

Now, most of you who read my blog know the difference between proprietary
and Free Software, and the difference between a network service and
software that runs on your own device. I want all of you have a good
understanding of that to do a simple thought experiment:

How many of the horrible things that Turow talks about can happen if there
is no proprietary software on your IoT or mobile devices?

AFAICT, other than the facial recognition in the store itself that he
talked about in Russia, everything he talks about would be mitigated or
eliminated completely as a thread if users could modify the software on
their devices.

Yes, universal software freedom will not solve all the worlds’ problems.
But it does solve a lot of them, at least with regard to the bad things the
powerful want to do to us via technology.

(BTW, the blog title is a reference
to Philip
K. Dick’s Minority Report
, which includes a scene about
systems reading people’s eyes to target-market to them. It’s not the main
theme of that particular book, though… Dick was always going off on
tangents in his books.)

AWS Announces CISPE Membership and Compliance with First-Ever Code of Conduct for Data Protection in the Cloud

Post Syndicated from Stephen Schmidt original https://aws.amazon.com/blogs/security/aws-announces-cispe-membership-and-compliance-with-first-ever-code-of-conduct-for-data-protection-in-the-cloud/

CISPE logo

I have two exciting announcements today, both showing AWS’s continued commitment to ensuring that customers can comply with EU Data Protection requirements when using our services.

AWS and CISPE

First, I’m pleased to announce AWS’s membership in the Association of Cloud Infrastructure Services Providers in Europe (CISPE).

CISPE is a coalition of about twenty cloud infrastructure (also known as Infrastructure as a Service) providers who offer cloud services to customers in Europe. CISPE was created to promote data security and compliance within the context of cloud infrastructure services. This is a vital undertaking: both customers and providers now understand that cloud infrastructure services are very different from traditional IT services (and even from other cloud services such as Software as a Service). Many entities were treating all cloud services as the same in the context of data protection, which led to confusion on both the part of the customer and providers with regard to their individual obligations.

One of CISPE’s key priorities is to ensure customers get what they need from their cloud infrastructure service providers in order to comply with the new EU General Data Protection Regulation (GDPR). With the publication of its Data Protection Code of Conduct for Cloud Infrastructure Services Providers, CISPE has already made significant progress in this space.

AWS and the Code of Conduct

My second announcement is in regard to the CISPE Code of Conduct itself. I’m excited to inform you that today, AWS has declared that Amazon EC2, Amazon Simple Storage Service (Amazon S3), Amazon Relational Database Service (Amazon RDS), AWS Identity and Access Management (IAM), AWS CloudTrail, and Amazon Elastic Block Store (Amazon EBS) are now fully compliant with the aforementioned CISPE Code of Conduct. This provides our customers with additional assurances that they fully control their data in a safe, secure, and compliant environment when they use AWS. Our compliance with the Code of Conduct adds to the long list of internationally recognized certifications and accreditations AWS already has, including ISO 27001, ISO 27018, ISO 9001, SOC 1, SOC 2, SOC 3, PCI DSS Level 1, and many more.

Additionally, the Code of Conduct is a powerful tool to help our customers who must comply with the EU GDPR.

A few key benefits of the Code of Conduct include:

  • Clarifying who is responsible for what when it comes to data protection: The Code of Conduct explains the role of both the provider and the customer under the GDPR, specifically within the context of cloud infrastructure services.
  • The Code of Conduct sets out what principles providers should adhere to: The Code of Conduct develops key principles within the GDPR about clear actions and commitments that providers should undertake to help customers comply. Customers can rely on these concrete benefits in their own compliance and data protection strategies.
  • The Code of Conduct gives customers the security information they need to make decisions about compliance: The Code of Conduct requires providers to be transparent about the steps they are taking to deliver on their security commitments. To name but a few, these steps involve notification around data breaches, data deletion, and third-party sub-processing, as well as law enforcement and governmental requests. Customers can use this information to fully understand the high levels of security provided.

I’m proud that AWS is now a member of CISPE and that we’ve played a part in the development of the Code of Conduct. Due to the very specific considerations that apply to cloud infrastructure services, and given the general lack of understanding of how cloud infrastructure services actually work, there is a clear need for an association such as CISPE. It’s important for AWS to play an active role in CISPE in order to represent the best interests of our customers, particularly when it comes to the EU Data Protection requirements.

AWS has always been committed to enabling our customers to meet their data protection needs. Whether it’s allowing our customers to choose where in the world they wish to store their content, obtaining approval from the EU Data Protection authorities (known as the Article 29 Working Party) of the AWS Data Processing Addendum and Model Clauses to enable transfers of personal data outside Europe, or simply being transparent about the way our services operate, we work hard to be market leaders in the area of security, compliance, and data protection.

Our decision to participate in CISPE and its Code of Conduct sends a clear a message to our customers that we continue to take data protection very seriously.

– Steve

Security and Privacy Guidelines for the Internet of Things

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/02/security_and_pr.html

Lately, I have been collecting IoT security and privacy guidelines. Here’s everything I’ve found:

  1. Internet of Things (IoT) Broadband Internet Technical Advisory Group, Broadband Internet Technical Advisory Group, Nov 2016.
  2. IoT Security Guidance,” Open Web Application Security Project (OWASP), May 2016.

  3. Strategic Principles for Securing the Internet of Things (IoT),” US Department of Homeland Security, Nov 2016.

  4. Security,” OneM2M Technical Specification, Aug 2016.

  5. Security Solutions,” OneM2M Technical Specification, Aug 2016.

  6. IoT Security Guidelines Overview Document,” GSM Alliance, Feb 2016.

  7. IoT Security Guidelines For Service Ecosystems,” GSM Alliance, Feb 2016.

  8. IoT Security Guidelines for Endpoint Ecosystems,” GSM Alliance, Feb 2016.

  9. IoT Security Guidelines for Network Operators,” GSM Alliance, Feb 2016.

  10. Establishing Principles for Internet of Things Security,” IoT Security Foundation, undated.

  11. IoT Design Manifesto,” May 2015.

  12. NYC Guidelines for the Internet of Things,” City of New York, undated.

  13. IoT Security Compliance Framework,” IoT Security Foundation, 2016.

  14. Principles, Practices and a Prescription for Responsible IoT and Embedded Systems Development,” IoTIAP, Nov 2016.

  15. IoT Trust Framework,” Online Trust Alliance, Jan 2017.

  16. Five Star Automotive Cyber Safety Framework,” I am the Cavalry, Feb 2015.

  17. Hippocratic Oath for Connected Medical Devices,” I am the Cavalry, Jan 2016.

Other, related, items:

  1. We All Live in the Computer Now,” The Netgain Partnership, Oct 2016.
  2. Comments of EPIC to the FTC on the Privacy and Security Implications of the Internet of Things,” Electronic Privacy Information Center, Jun 2013.

  3. Internet of Things Software Update Workshop (IoTSU),” Internet Architecture Board, Jun 2016.

They all largely say the same things: avoid known vulnerabilities, don’t have insecure defaults, make your systems patchable, and so on.

My guess is that everyone knows that IoT regulation is coming, and is either trying to impose self-regulation to forestall government action or establish principles to influence government action. It’ll be interesting to see how the next few years unfold.

If there are any IoT security or privacy guideline documents that I’m missing, please tell me in the comments.

Steal This Show S02E10: In Surveillance Valley

Post Syndicated from Ernesto original https://torrentfreak.com/steal-show-s02e10-surveillance-valley/

stslogo180If you enjoy this episode, consider becoming a patron and getting involved with the show. Check out Steal This Show’s Patreon campaign: support us and get all kinds of fantastic benefits!

This episode features journalist and writer Yasha Levine discussing some of the topics covered in his forthcoming book, Surveillance Valley.

Yasha argues that the biggest threat to our privacy comes not directly from the government, but via the ubiquitous corporate platforms we all use every day – including Google, Facebook, eBay and others – and the ‘data brokers’ that buy and sell the most intimate information about our lives.

Steal This Show aims to release bi-weekly episodes featuring insiders discussing copyright and file-sharing news. It complements our regular reporting by adding more room for opinion, commentary, and analysis.

The guests for our news discussions will vary, and we’ll aim to introduce voices from different backgrounds and persuasions. In addition to news, STS will also produce features interviewing some of the great innovators and minds.

Host: Jamie King

Guest: Yasha Levine

Produced by Jamie King
Edited & Mixed by Riley Byrne
Original Music by David Triana
Web Production by Siraje Amarniss

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Dark Web Paying Corporate Workers To Leak Info

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/zVyI8cb3Wrs/

This is not particularly new news, but the Dark Web paying corporate workers to leak info – especially pertaining to stock prices (earnings reports etc) is setting the mainstream news on fire at the moment. It’s also funny because people constantly contact us asking questions about the ‘Dark Web’ aka the ‘Dark Net’ which happens […]

The…

Read the full post at darknet.org.uk

Security and the Internet of Things

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/02/security_and_th.html

Last year, on October 21, your digital video recorder ­- or at least a DVR like yours ­- knocked Twitter off the internet. Someone used your DVR, along with millions of insecure webcams, routers, and other connected devices, to launch an attack that started a chain reaction, resulting in Twitter, Reddit, Netflix, and many sites going off the internet. You probably didn’t realize that your DVR had that kind of power. But it does.

All computers are hackable. This has as much to do with the computer market as it does with the technologies. We prefer our software full of features and inexpensive, at the expense of security and reliability. That your computer can affect the security of Twitter is a market failure. The industry is filled with market failures that, until now, have been largely ignorable. As computers continue to permeate our homes, cars, businesses, these market failures will no longer be tolerable. Our only solution will be regulation, and that regulation will be foisted on us by a government desperate to “do something” in the face of disaster.

In this article I want to outline the problems, both technical and political, and point to some regulatory solutions. Regulation might be a dirty word in today’s political climate, but security is the exception to our small-government bias. And as the threats posed by computers become greater and more catastrophic, regulation will be inevitable. So now’s the time to start thinking about it.

We also need to reverse the trend to connect everything to the internet. And if we risk harm and even death, we need to think twice about what we connect and what we deliberately leave uncomputerized.

If we get this wrong, the computer industry will look like the pharmaceutical industry, or the aircraft industry. But if we get this right, we can maintain the innovative environment of the internet that has given us so much.

**********

We no longer have things with computers embedded in them. We have computers with things attached to them.

Your modern refrigerator is a computer that keeps things cold. Your oven, similarly, is a computer that makes things hot. An ATM is a computer with money inside. Your car is no longer a mechanical device with some computers inside; it’s a computer with four wheels and an engine. Actually, it’s a distributed system of over 100 computers with four wheels and an engine. And, of course, your phones became full-power general-purpose computers in 2007, when the iPhone was introduced.

We wear computers: fitness trackers and computer-enabled medical devices ­- and, of course, we carry our smartphones everywhere. Our homes have smart thermostats, smart appliances, smart door locks, even smart light bulbs. At work, many of those same smart devices are networked together with CCTV cameras, sensors that detect customer movements, and everything else. Cities are starting to embed smart sensors in roads, streetlights, and sidewalk squares, also smart energy grids and smart transportation networks. A nuclear power plant is really just a computer that produces electricity, and ­- like everything else we’ve just listed -­ it’s on the internet.

The internet is no longer a web that we connect to. Instead, it’s a computerized, networked, and interconnected world that we live in. This is the future, and what we’re calling the Internet of Things.

Broadly speaking, the Internet of Things has three parts. There are the sensors that collect data about us and our environment: smart thermostats, street and highway sensors, and those ubiquitous smartphones with their motion sensors and GPS location receivers. Then there are the “smarts” that figure out what the data means and what to do about it. This includes all the computer processors on these devices and ­- increasingly ­- in the cloud, as well as the memory that stores all of this information. And finally, there are the actuators that affect our environment. The point of a smart thermostat isn’t to record the temperature; it’s to control the furnace and the air conditioner. Driverless cars collect data about the road and the environment to steer themselves safely to their destinations.

You can think of the sensors as the eyes and ears of the internet. You can think of the actuators as the hands and feet of the internet. And you can think of the stuff in the middle as the brain. We are building an internet that senses, thinks, and acts.

This is the classic definition of a robot. We’re building a world-size robot, and we don’t even realize it.

To be sure, it’s not a robot in the classical sense. We think of robots as discrete autonomous entities, with sensors, brain, and actuators all together in a metal shell. The world-size robot is distributed. It doesn’t have a singular body, and parts of it are controlled in different ways by different people. It doesn’t have a central brain, and it has nothing even remotely resembling a consciousness. It doesn’t have a single goal or focus. It’s not even something we deliberately designed. It’s something we have inadvertently built out of the everyday objects we live with and take for granted. It is the extension of our computers and networks into the real world.

This world-size robot is actually more than the Internet of Things. It’s a combination of several decades-old computing trends: mobile computing, cloud computing, always-on computing, huge databases of personal information, the Internet of Things ­- or, more precisely, cyber-physical systems ­- autonomy, and artificial intelligence. And while it’s still not very smart, it’ll get smarter. It’ll get more powerful and more capable through all the interconnections we’re building.

It’ll also get much more dangerous.

**********

Computer security has been around for almost as long as computers have been. And while it’s true that security wasn’t part of the design of the original internet, it’s something we have been trying to achieve since its beginning.

I have been working in computer security for over 30 years: first in cryptography, then more generally in computer and network security, and now in general security technology. I have watched computers become ubiquitous, and have seen firsthand the problems ­- and solutions ­- of securing these complex machines and systems. I’m telling you all this because what used to be a specialized area of expertise now affects everything. Computer security is now everything security. There’s one critical difference, though: The threats have become greater.

Traditionally, computer security is divided into three categories: confidentiality, integrity, and availability. For the most part, our security concerns have largely centered around confidentiality. We’re concerned about our data and who has access to it ­- the world of privacy and surveillance, of data theft and misuse.

But threats come in many forms. Availability threats: computer viruses that delete our data, or ransomware that encrypts our data and demands payment for the unlock key. Integrity threats: hackers who can manipulate data entries can do things ranging from changing grades in a class to changing the amount of money in bank accounts. Some of these threats are pretty bad. Hospitals have paid tens of thousands of dollars to criminals whose ransomware encrypted critical medical files. JPMorgan Chase spends half a billion on cybersecurity a year.

Today, the integrity and availability threats are much worse than the confidentiality threats. Once computers start affecting the world in a direct and physical manner, there are real risks to life and property. There is a fundamental difference between crashing your computer and losing your spreadsheet data, and crashing your pacemaker and losing your life. This isn’t hyperbole; recently researchers found serious security vulnerabilities in St. Jude Medical’s implantable heart devices. Give the internet hands and feet, and it will have the ability to punch and kick.

Take a concrete example: modern cars, those computers on wheels. The steering wheel no longer turns the axles, nor does the accelerator pedal change the speed. Every move you make in a car is processed by a computer, which does the actual controlling. A central computer controls the dashboard. There’s another in the radio. The engine has 20 or so computers. These are all networked, and increasingly autonomous.

Now, let’s start listing the security threats. We don’t want car navigation systems to be used for mass surveillance, or the microphone for mass eavesdropping. We might want it to be used to determine a car’s location in the event of a 911 call, and possibly to collect information about highway congestion. We don’t want people to hack their own cars to bypass emissions-control limitations. We don’t want manufacturers or dealers to be able to do that, either, as Volkswagen did for years. We can imagine wanting to give police the ability to remotely and safely disable a moving car; that would make high-speed chases a thing of the past. But we definitely don’t want hackers to be able to do that. We definitely don’t want them disabling the brakes in every car without warning, at speed. As we make the transition from driver-controlled cars to cars with various driver-assist capabilities to fully driverless cars, we don’t want any of those critical components subverted. We don’t want someone to be able to accidentally crash your car, let alone do it on purpose. And equally, we don’t want them to be able to manipulate the navigation software to change your route, or the door-lock controls to prevent you from opening the door. I could go on.

That’s a lot of different security requirements, and the effects of getting them wrong range from illegal surveillance to extortion by ransomware to mass death.

**********

Our computers and smartphones are as secure as they are because companies like Microsoft, Apple, and Google spend a lot of time testing their code before it’s released, and quickly patch vulnerabilities when they’re discovered. Those companies can support large, dedicated teams because those companies make a huge amount of money, either directly or indirectly, from their software ­ and, in part, compete on its security. Unfortunately, this isn’t true of embedded systems like digital video recorders or home routers. Those systems are sold at a much lower margin, and are often built by offshore third parties. The companies involved simply don’t have the expertise to make them secure.

At a recent hacker conference, a security researcher analyzed 30 home routers and was able to break into half of them, including some of the most popular and common brands. The denial-of-service attacks that forced popular websites like Reddit and Twitter off the internet last October were enabled by vulnerabilities in devices like webcams and digital video recorders. In August, two security researchers demonstrated a ransomware attack on a smart thermostat.

Even worse, most of these devices don’t have any way to be patched. Companies like Microsoft and Apple continuously deliver security patches to your computers. Some home routers are technically patchable, but in a complicated way that only an expert would attempt. And the only way for you to update the firmware in your hackable DVR is to throw it away and buy a new one.

The market can’t fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don’t care. Their devices were cheap to buy, they still work, and they don’t know any of the victims of the attacks. The sellers of those devices don’t care: They’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.

**********

Security is an arms race between attacker and defender. Technology perturbs that arms race by changing the balance between attacker and defender. Understanding how this arms race has unfolded on the internet is essential to understanding why the world-size robot we’re building is so insecure, and how we might secure it. To that end, I have five truisms, born from what we’ve already learned about computer and internet security. They will soon affect the security arms race everywhere.

Truism No. 1: On the internet, attack is easier than defense.

There are many reasons for this, but the most important is the complexity of these systems. More complexity means more people involved, more parts, more interactions, more mistakes in the design and development process, more of everything where hidden insecurities can be found. Computer-security experts like to speak about the attack surface of a system: all the possible points an attacker might target and that must be secured. A complex system means a large attack surface. The defender has to secure the entire attack surface. The attacker just has to find one vulnerability ­- one unsecured avenue for attack -­ and gets to choose how and when to attack. It’s simply not a fair battle.

There are other, more general, reasons why attack is easier than defense. Attackers have a natural agility that defenders often lack. They don’t have to worry about laws, and often not about morals or ethics. They don’t have a bureaucracy to contend with, and can more quickly make use of technical innovations. Attackers also have a first-mover advantage. As a society, we’re generally terrible at proactive security; we rarely take preventive security measures until an attack actually happens. So more advantages go to the attacker.

Truism No. 2: Most software is poorly written and insecure.

If complexity isn’t enough, we compound the problem by producing lousy software. Well-written software, like the kind found in airplane avionics, is both expensive and time-consuming to produce. We don’t want that. For the most part, poorly written software has been good enough. We’d all rather live with buggy software than pay the prices good software would require. We don’t mind if our games crash regularly, or our business applications act weird once in a while. Because software has been largely benign, it hasn’t mattered. This has permeated the industry at all levels. At universities, we don’t teach how to code well. Companies don’t reward quality code in the same way they reward fast and cheap. And we consumers don’t demand it.

But poorly written software is riddled with bugs, sometimes as many as one per 1,000 lines of code. Some of them are inherent in the complexity of the software, but most are programming mistakes. Not all bugs are vulnerabilities, but some are.

Truism No. 3: Connecting everything to each other via the internet will expose new vulnerabilities.

The more we network things together, the more vulnerabilities on one thing will affect other things. On October 21, vulnerabilities in a wide variety of embedded devices were all harnessed together to create what hackers call a botnet. This botnet was used to launch a distributed denial-of-service attack against a company called Dyn. Dyn provided a critical internet function for many major internet sites. So when Dyn went down, so did all those popular websites.

These chains of vulnerabilities are everywhere. In 2012, journalist Mat Honan suffered a massive personal hack because of one of them. A vulnerability in his Amazon account allowed hackers to get into his Apple account, which allowed them to get into his Gmail account. And in 2013, the Target Corporation was hacked by someone stealing credentials from its HVAC contractor.

Vulnerabilities like these are particularly hard to fix, because no one system might actually be at fault. It might be the insecure interaction of two individually secure systems.

Truism No. 4: Everybody has to stop the best attackers in the world.

One of the most powerful properties of the internet is that it allows things to scale. This is true for our ability to access data or control systems or do any of the cool things we use the internet for, but it’s also true for attacks. In general, fewer attackers can do more damage because of better technology. It’s not just that these modern attackers are more efficient, it’s that the internet allows attacks to scale to a degree impossible without computers and networks.

This is fundamentally different from what we’re used to. When securing my home against burglars, I am only worried about the burglars who live close enough to my home to consider robbing me. The internet is different. When I think about the security of my network, I have to be concerned about the best attacker possible, because he’s the one who’s going to create the attack tool that everyone else will use. The attacker that discovered the vulnerability used to attack Dyn released the code to the world, and within a week there were a dozen attack tools using it.

Truism No. 5: Laws inhibit security research.

The Digital Millennium Copyright Act is a terrible law that fails at its purpose of preventing widespread piracy of movies and music. To make matters worse, it contains a provision that has critical side effects. According to the law, it is a crime to bypass security mechanisms that protect copyrighted work, even if that bypassing would otherwise be legal. Since all software can be copyrighted, it is arguably illegal to do security research on these devices and to publish the result.

Although the exact contours of the law are arguable, many companies are using this provision of the DMCA to threaten researchers who expose vulnerabilities in their embedded systems. This instills fear in researchers, and has a chilling effect on research, which means two things: (1) Vendors of these devices are more likely to leave them insecure, because no one will notice and they won’t be penalized in the market, and (2) security engineers don’t learn how to do security better.
Unfortunately, companies generally like the DMCA. The provisions against reverse-engineering spare them the embarrassment of having their shoddy security exposed. It also allows them to build proprietary systems that lock out competition. (This is an important one. Right now, your toaster cannot force you to only buy a particular brand of bread. But because of this law and an embedded computer, your Keurig coffee maker can force you to buy a particular brand of coffee.)

**********
In general, there are two basic paradigms of security. We can either try to secure something well the first time, or we can make our security agile. The first paradigm comes from the world of dangerous things: from planes, medical devices, buildings. It’s the paradigm that gives us secure design and secure engineering, security testing and certifications, professional licensing, detailed preplanning and complex government approvals, and long times-to-market. It’s security for a world where getting it right is paramount because getting it wrong means people dying.

The second paradigm comes from the fast-moving and heretofore largely benign world of software. In this paradigm, we have rapid prototyping, on-the-fly updates, and continual improvement. In this paradigm, new vulnerabilities are discovered all the time and security disasters regularly happen. Here, we stress survivability, recoverability, mitigation, adaptability, and muddling through. This is security for a world where getting it wrong is okay, as long as you can respond fast enough.

These two worlds are colliding. They’re colliding in our cars -­ literally -­ in our medical devices, our building control systems, our traffic control systems, and our voting machines. And although these paradigms are wildly different and largely incompatible, we need to figure out how to make them work together.

So far, we haven’t done very well. We still largely rely on the first paradigm for the dangerous computers in cars, airplanes, and medical devices. As a result, there are medical systems that can’t have security patches installed because that would invalidate their government approval. In 2015, Chrysler recalled 1.4 million cars to fix a software vulnerability. In September 2016, Tesla remotely sent a security patch to all of its Model S cars overnight. Tesla sure sounds like it’s doing things right, but what vulnerabilities does this remote patch feature open up?

**********
Until now we’ve largely left computer security to the market. Because the computer and network products we buy and use are so lousy, an enormous after-market industry in computer security has emerged. Governments, companies, and people buy the security they think they need to secure themselves. We’ve muddled through well enough, but the market failures inherent in trying to secure this world-size robot will soon become too big to ignore.

Markets alone can’t solve our security problems. Markets are motivated by profit and short-term goals at the expense of society. They can’t solve collective-action problems. They won’t be able to deal with economic externalities, like the vulnerabilities in DVRs that resulted in Twitter going offline. And we need a counterbalancing force to corporate power.

This all points to policy. While the details of any computer-security system are technical, getting the technologies broadly deployed is a problem that spans law, economics, psychology, and sociology. And getting the policy right is just as important as getting the technology right because, for internet security to work, law and technology have to work together. This is probably the most important lesson of Edward Snowden’s NSA disclosures. We already knew that technology can subvert law. Snowden demonstrated that law can also subvert technology. Both fail unless each work. It’s not enough to just let technology do its thing.

Any policy changes to secure this world-size robot will mean significant government regulation. I know it’s a sullied concept in today’s world, but I don’t see any other possible solution. It’s going to be especially difficult on the internet, where its permissionless nature is one of the best things about it and the underpinning of its most world-changing innovations. But I don’t see how that can continue when the internet can affect the world in a direct and physical manner.

**********

I have a proposal: a new government regulatory agency. Before dismissing it out of hand, please hear me out.

We have a practical problem when it comes to internet regulation. There’s no government structure to tackle this at a systemic level. Instead, there’s a fundamental mismatch between the way government works and the way this technology works that makes dealing with this problem impossible at the moment.

Government operates in silos. In the U.S., the FAA regulates aircraft. The NHTSA regulates cars. The FDA regulates medical devices. The FCC regulates communications devices. The FTC protects consumers in the face of “unfair” or “deceptive” trade practices. Even worse, who regulates data can depend on how it is used. If data is used to influence a voter, it’s the Federal Election Commission’s jurisdiction. If that same data is used to influence a consumer, it’s the FTC’s. Use those same technologies in a school, and the Department of Education is now in charge. Robotics will have its own set of problems, and no one is sure how that is going to be regulated. Each agency has a different approach and different rules. They have no expertise in these new issues, and they are not quick to expand their authority for all sorts of reasons.

Compare that with the internet. The internet is a freewheeling system of integrated objects and networks. It grows horizontally, demolishing old technological barriers so that people and systems that never previously communicated now can. Already, apps on a smartphone can log health information, control your energy use, and communicate with your car. That’s a set of functions that crosses jurisdictions of at least four different government agencies, and it’s only going to get worse.

Our world-size robot needs to be viewed as a single entity with millions of components interacting with each other. Any solutions here need to be holistic. They need to work everywhere, for everything. Whether we’re talking about cars, drones, or phones, they’re all computers.

This has lots of precedent. Many new technologies have led to the formation of new government regulatory agencies. Trains did, cars did, airplanes did. Radio led to the formation of the Federal Radio Commission, which became the FCC. Nuclear power led to the formation of the Atomic Energy Commission, which eventually became the Department of Energy. The reasons were the same in every case. New technologies need new expertise because they bring with them new challenges. Governments need a single agency to house that new expertise, because its applications cut across several preexisting agencies. It’s less that the new agency needs to regulate -­ although that’s often a big part of it -­ and more that governments recognize the importance of the new technologies.

The internet has famously eschewed formal regulation, instead adopting a multi-stakeholder model of academics, businesses, governments, and other interested parties. My hope is that we can keep the best of this approach in any regulatory agency, looking more at the new U.S. Digital Service or the 18F office inside the General Services Administration. Both of those organizations are dedicated to providing digital government services, and both have collected significant expertise by bringing people in from outside of government, and both have learned how to work closely with existing agencies. Any internet regulatory agency will similarly need to engage in a high level of collaborate regulation -­ both a challenge and an opportunity.

I don’t think any of us can predict the totality of the regulations we need to ensure the safety of this world, but here’s a few. We need government to ensure companies follow good security practices: testing, patching, secure defaults -­ and we need to be able to hold companies liable when they fail to do these things. We need government to mandate strong personal data protections, and limitations on data collection and use. We need to ensure that responsible security research is legal and well-funded. We need to enforce transparency in design, some sort of code escrow in case a company goes out of business, and interoperability between devices of different manufacturers, to counterbalance the monopolistic effects of interconnected technologies. Individuals need the right to take their data with them. And internet-enabled devices should retain some minimal functionality if disconnected from the internet

I’m not the only one talking about this. I’ve seen proposals for a National Institutes of Health analog for cybersecurity. University of Washington law professor Ryan Calo has proposed a Federal Robotics Commission. I think it needs to be broader: maybe a Department of Technology Policy.

Of course there will be problems. There’s a lack of expertise in these issues inside government. There’s a lack of willingness in government to do the hard regulatory work. Industry is worried about any new bureaucracy: both that it will stifle innovation by regulating too much and that it will be captured by industry and regulate too little. A domestic regulatory agency will have to deal with the fundamentally international nature of the problem.

But government is the entity we use to solve problems like this. Governments have the scope, scale, and balance of interests to address the problems. It’s the institution we’ve built to adjudicate competing social interests and internalize market externalities. Left to their own devices, the market simply can’t. That we’re currently in the middle of an era of low government trust, where many of us can’t imagine government doing anything positive in an area like this, is to our detriment.

Here’s the thing: Governments will get involved, regardless. The risks are too great, and the stakes are too high. Government already regulates dangerous physical systems like cars and medical devices. And nothing motivates the U.S. government like fear. Remember 2001? A nominally small-government Republican president created the Office of Homeland Security 11 days after the terrorist attacks: a rushed and ill-thought-out decision that we’ve been trying to fix for over a decade. A fatal disaster will similarly spur our government into action, and it’s unlikely to be well-considered and thoughtful action. Our choice isn’t between government involvement and no government involvement. Our choice is between smarter government involvement and stupider government involvement. We have to start thinking about this now. Regulations are necessary, important, and complex; and they’re coming. We can’t afford to ignore these issues until it’s too late.

We also need to start disconnecting systems. If we cannot secure complex systems to the level required by their real-world capabilities, then we must not build a world where everything is computerized and interconnected.

There are other models. We can enable local communications only. We can set limits on collected and stored data. We can deliberately design systems that don’t interoperate with each other. We can deliberately fetter devices, reversing the current trend of turning everything into a general-purpose computer. And, most important, we can move toward less centralization and more distributed systems, which is how the internet was first envisioned.

This might be a heresy in today’s race to network everything, but large, centralized systems are not inevitable. The technical elites are pushing us in that direction, but they really don’t have any good supporting arguments other than the profits of their ever-growing multinational corporations.

But this will change. It will change not only because of security concerns, it will also change because of political concerns. We’re starting to chafe under the worldview of everything producing data about us and what we do, and that data being available to both governments and corporations. Surveillance capitalism won’t be the business model of the internet forever. We need to change the fabric of the internet so that evil governments don’t have the tools to create a horrific totalitarian state. And while good laws and regulations in Western democracies are a great second line of defense, they can’t be our only line of defense.

My guess is that we will soon reach a high-water mark of computerization and connectivity, and that afterward we will make conscious decisions about what and how we decide to interconnect. But we’re still in the honeymoon phase of connectivity. Governments and corporations are punch-drunk on our data, and the rush to connect everything is driven by an even greater desire for power and market share. One of the presentations released by Edward Snowden contained the NSA mantra: “Collect it all.” A similar mantra for the internet today might be: “Connect it all.”

The inevitable backlash will not be driven by the market. It will be deliberate policy decisions that put the safety and welfare of society above individual corporations and industries. It will be deliberate policy decisions that prioritize the security of our systems over the demands of the FBI to weaken them in order to make their law-enforcement jobs easier. It’ll be hard policy for many to swallow, but our safety will depend on it.

**********

The scenarios I’ve outlined, both the technological and economic trends that are causing them and the political changes we need to make to start to fix them, come from my years of working in internet-security technology and policy. All of this is informed by an understanding of both technology and policy. That turns out to be critical, and there aren’t enough people who understand both.

This brings me to my final plea: We need more public-interest technologists.

Over the past couple of decades, we’ve seen examples of getting internet-security policy badly wrong. I’m thinking of the FBI’s “going dark” debate about its insistence that computer devices be designed to facilitate government access, the “vulnerability equities process” about when the government should disclose and fix a vulnerability versus when it should use it to attack other systems, the debacle over paperless touch-screen voting machines, and the DMCA that I discussed above. If you watched any of these policy debates unfold, you saw policy-makers and technologists talking past each other.

Our world-size robot will exacerbate these problems. The historical divide between Washington and Silicon Valley -­ the mistrust of governments by tech companies and the mistrust of tech companies by governments ­- is dangerous.

We have to fix this. Getting IoT security right depends on the two sides working together and, even more important, having people who are experts in each working on both. We need technologists to get involved in policy, and we need policy-makers to get involved in technology. We need people who are experts in making both technology and technological policy. We need technologists on congressional staffs, inside federal agencies, working for NGOs, and as part of the press. We need to create a viable career path for public-interest technologists, much as there already is one for public-interest attorneys. We need courses, and degree programs in colleges, for people interested in careers in public-interest technology. We need fellowships in organizations that need these people. We need technology companies to offer sabbaticals for technologists wanting to go down this path. We need an entire ecosystem that supports people bridging the gap between technology and law. We need a viable career path that ensures that even though people in this field won’t make as much as they would in a high-tech start-up, they will have viable careers. The security of our computerized and networked future ­ meaning the security of ourselves, families, homes, businesses, and communities ­ depends on it.

This plea is bigger than security, actually. Pretty much all of the major policy debates of this century will have a major technological component. Whether it’s weapons of mass destruction, robots drastically affecting employment, climate change, food safety, or the increasing ubiquity of ever-shrinking drones, understanding the policy means understanding the technology. Our society desperately needs technologists working on the policy. The alternative is bad policy.

**********

The world-size robot is less designed than created. It’s coming without any forethought or architecting or planning; most of us are completely unaware of what we’re building. In fact, I am not convinced we can actually design any of this. When we try to design complex sociotechnical systems like this, we are regularly surprised by their emergent properties. The best we can do is observe and channel these properties as best we can.

Market thinking sometimes makes us lose sight of the human choices and autonomy at stake. Before we get controlled ­ or killed ­ by the world-size robot, we need to rebuild confidence in our collective governance institutions. Law and policy may not seem as cool as digital tech, but they’re also places of critical innovation. They’re where we collectively bring about the world we want to live in.

While I might sound like a Cassandra, I’m actually optimistic about our future. Our society has tackled bigger problems than this one. It takes work and it’s not easy, but we eventually find our way clear to make the hard choices necessary to solve our real problems.

The world-size robot we’re building can only be managed responsibly if we start making real choices about the interconnected world we live in. Yes, we need security systems as robust as the threat landscape. But we also need laws that effectively regulate these dangerous technologies. And, more generally, we need to make moral, ethical, and political decisions on how those systems should work. Until now, we’ve largely left the internet alone. We gave programmers a special right to code cyberspace as they saw fit. This was okay because cyberspace was separate and relatively unimportant: That is, it didn’t matter. Now that that’s changed, we can no longer give programmers and the companies they work for this power. Those moral, ethical, and political decisions need, somehow, to be made by everybody. We need to link people with the same zeal that we are currently linking machines. “Connect it all” must be countered with “connect us all.”

This essay previously appeared in New York Magazine.

New Rules on Data Privacy for Non-US Citizens

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/01/new_rules_on_da.html

Last week, President Trump signed an executive order affecting the privacy rights of non-US citizens with respect to data residing in the US.

Here’s the relevant text:

Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

At issue is the EU-US Privacy Shield, which is the voluntary agreement among the US government, US companies, and the EU that makes it possible for US companies to store Europeans’ data without having to follow all EU privacy requirements.

Interpretations of what this means are all over the place: from extremely bad, to more measured, to don’t worry and we still have PPD-28.

This is clearly still in flux. And, like pretty much everything so far in the Trump administration, we have no idea where this is headed.

User Network-to-Amazon VPC Connectivity for Applications Hosted on AWS

Post Syndicated from Ana Visneski original https://aws.amazon.com/blogs/aws/user-network-to-amazon-vpc-connectivity-for-applications-hosted-on-aws/

With so much going on at AWS, we often hear from readers asking for ways to help them make more informed decisions, or put together examples for their planning processes. Joining us today is Jim Carroll, a Sr. Category Leader with Amazon Marketplace to talk about AWS Networking services and solutions in the AWS Marketplace.

-Ana


Last month we announced the new AWS Region in London. This new region expands our global infrastructure and provides our partners and customers with even more geographic options to cost-effectively scale and meet compliance and data residency requirements. This announcement is fresh in my mind because of conversations I’ve had recently with our customers about the AWS networking services and solutions in AWS Marketplace that they leverage to connect their corporate network to their virtual private network on the AWS Cloud.

Customers typically deploy this architecture with AWS in order to support one or a combination of business needs:

  • Migrate applications to the AWS Cloud over time
  • Quickly and cost-effectively scale their network for branch office and remote connectivity, improving end user experience while migrating applications to the AWS Cloud
  • Ensure compliance and data residency requirements are met

Today, I will overview the VPN options available to customers with these business needs, to help simplify their decision-making. With Amazon VPC, you can configure an AWS managed VPN, use private circuit connectivity with AWS Direct Connect, and enable third-party networking software on your VPC for VPN connectivity. You may also choose a client-to-site VPN that allows users to directly access AWS from their desktop or mobile devices.

Steve Morad’s 2014 whitepaper, Amazon Virtual Private Cloud Connectivity Options, provides an overview of the remote network-to-Amazon VPC connectivity options. The table below summarizes these insights, followed by considerations for selecting an AWS managed VPN or a user-managed software VPN end-point in your virtual network on AWS. This discussion contains information from Morad’s whitepaper.

User Network–to–Amazon VPC Connectivity Options
AWS Managed VPN IPsec VPN connection over the Internet
AWS Direct Connect Dedicated network connection over private lines
AWS Direct Connect + VPN IPsec VPN connection over private lines
AWS VPN CloudHub Connect remote branch offices in a hub-and-spoke model for primary or backup connectivity
Software VPN Software appliance-based VPN connection over the Internet

AWS Managed VPN
This approach enables you to take advantage of an AWS-managed VPN endpoint that includes automated multi–data center redundancy and failover built into the AWS side of the VPN connection. Both dynamic and static routing options are provided to give you flexibility in your routing configuration. Figure 1 illustrates.

Figure 1 - AWS Managed VPN


AWS managed VPN considerations:

  • Although not shown, the Amazon virtual private gateway represents two distinct VPN endpoints, physically located in separate data centers to increase the availability of your VPN connection.
  • Both dynamic and static routing options are provided to give you flexibility in your routing configuration.
  • Dynamic routing leverages Border Gateway Protocol (BGP) peering to exchange routing information between AWS and these remote endpoints.
  • With dynamic routing, you can also specify routing priorities, policies, and weights (metrics) in your BGP advertisements and influence the path between your network(s) and AWS.
  • When using dynamic routing, routes advertised via BGP can be propagated into selected routing tables, making it easier to advertise new routes to AWS.

Software VPN
This option utilizes a software VPN appliance that runs on a single Amazon EC2 instance connecting to your remote network. This option requires that you manage both sides of your Amazon VPC connectivity, including managing the software appliance, configuration, patches, and upgrades.

 

This option is recommended if you must manage both ends of the VPN connection. Considerations:

  • Compliance: You may need to use this approach for compliance and data residency requirements in your hybrid network architecture. IT security and privacy regulations govern specific industries and require your IT infrastructure, including your network, to meet certain government standards.
  • Gateway device support: Customers with gateway devices that are not currently supported by the Amazon managed VPN solution, choose to deploy a Software VPN in order to leverage existing on-premises investments. The list of supported gateway devices is located here.
  • Networking infrastructure solutions in AWS Marketplace: You can easily extend your on-premises networking infrastructure software with pre-configured and customizable AMIs from popular software vendors on AWS Marketplace.

Example of HA Architecture for Software VPN Instances
Creating a fully resilient VPC connection for software VPN instances requires the setup and configuration of multiple VPN instances and a monitoring instance to track the health of the VPN connections.

Figure 3: High-Level HA Design

We recommend configuring your VPC route tables to leverage all VPN instances simultaneously by directing traffic from all of the subnets in one Availability Zone through its respective VPN instances in the same Availability Zone. Each VPN instance will then provide VPN connectivity for instances that share the same Availability Zone. The white paper provides more information and considerations.

By leveraging networking infrastructure solutions from popular vendors such as Brocade and Cisco in AWS Marketplace, you can take full advantage of existing investments in on-premises systems and thecloud to meet your unique business challenges.

-Jim Carroll

China To Outlaw All Unapproved VPN Services

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/0J0Igtp77Z0/

So the latest news from behind the Great Firewall of China is that they plan to crack down on all unapproved VPN services. This means all VPN providers, cloud service providers and ISPs will have to seek an annually renewed licence to operate a VPN Service. Really, not very surprising coming out of China and […]

The post China To Outlaw All…

Read the full post at darknet.org.uk

Researchers Issue Security Warning Over Android VPN Apps

Post Syndicated from Andy original https://torrentfreak.com/researchers-issue-security-warning-over-android-vpn-apps-170125/

warningThere was a time when the Internet was a fairly straightforward place to navigate, with basic software, basic websites and few major security issues. Over the years, however, things have drastically changed.

Many people now spend their entire lives connected to the web in some way, particularly via mobile devices and apps such as Facebook and the countless thousands of others now freely available online.

For some users, the idea of encrypting their traffic has become attractive, from both a security and anti-censorship standpoint. On the one hand people like the idea of private communications and on the other, encryption can enable people to bypass website blocks, wherever they may occur and for whatever reason.

As a result, millions are now turning to premium VPN packages from reputable companies. Others, however, prefer to use the all-in-one options available on Google’s Play store, but according to a new study, that could be a risky strategy.

A study by researchers at CSIRO’s Data 61, University of New South Wales, and UC Berkley, has found that hundreds of VPN apps available from Google Play presented significant security issues including malware, spyware, adware and data leaks.

Very often, users look at the number of downloads combined with the ‘star rating’ of apps to work out whether they’re getting a good product. However, the researchers found that among the 283 apps tested, even the highest ranked and most-downloaded apps can carry nasty surprises.

“While 37% of the analyzed VPN apps have more than 500K installs and 25% of them receive at least a 4-star rating, over 38% of them contain some malware presence according to VirusTotal,” the researchers write.

The five types of malware detected can be broken down as follows: Adware (43%), Trojan (29%), Malvertising (17%), Riskware (6%) and Spyware (5%). The researchers ordered the most problematic apps by VirusTotal AV-Rank, which represents the number of anti-virus tools that identified any malware activity.

The worst offenders, according to the reportvpn-worst

The researchers found that only a marginal number of VPN users raised any security or privacy concerns in the review sections for each app, despite many of them having serious problems. The high number of downloads seem to suggest that users have confidence in them, despite their issues.

“According to the number of installs of these apps, millions of users appear to trust VPN apps despite their potential maliciousness. In fact, the high presence of malware activity in VPN apps that our analysis has revealed is worrisome given the ability that these apps already have to inspect and analyze all user’s traffic with the VPN permission,” the paper reads.

The growing awareness of VPNs and their association with privacy and security has been a hot topic in recent years, but the researchers found that many of the apps available on Google Play offer neither. Instead, they featured tracking of users by third parties while demanding access to sensitive Android permissions.

“Even though 67% of the identified VPN Android apps offer services to enhance online privacy and security, 75% of them use third-party tracking libraries and 82% request permissions to access sensitive resources including user accounts and text messages,” the researchers note.

Even from this low point, things manage to get worse. Many VPN users associate the product they’re using with encryption and the privacy it brings, but for almost one-fifth of apps tested by the researchers, the concept is alien.

“18% of the VPN apps implement tunneling protocols without encryption despite promising online anonymity and security to their users,” they write, adding that 16% of tested apps routed traffic through other users of the same app rather than utilizing dedicated online servers.

“This forwarding model raises a number of trust, security, and privacy concerns for participating users,” the researchers add, noting that only Hola admits to the practice on its website.

And when it comes to the handling of IPv6 traffic, the majority of the apps featured in the study fell short in a dramatic way. Around 84% of the VPN apps tested had IPv6 leaks while 66% had DNS leaks, something the researchers put down to misconfigurations or developer-induced errors.

“Both the lack of strong encryption and traffic leakages can ease online tracking activities performed by inpath middleboxes (e.g., commercial WiFi [Access Points] harvesting user’s data) and by surveillance agencies,” they warn.

While the study (pdf) is detailed, it does not attempt to rank any of the applications tested, other than showing a table of some of the worst offenders. From the perspective of the consumer looking to install a good VPN app, that’s possibly not as helpful as they might like.

Instead, those looking for a VPN will have to carry out their own research online before taking the plunge. Sticking with well-known companies that are transparent about their practices is a great start. And, if an app requests access to sensitive data during the install process for no good reason, get rid of it. Finally, if it’s a free app with a free service included, it’s a fair assumption that strings may be attached.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Netflix VPN Crackdown, A Year of Frustrations

Post Syndicated from Ernesto original https://torrentfreak.com/netflix-vpn-crackdown-a-year-of-frustrations-170120/

netflix-logoIn an move to appease Hollywood’s major studios, last year Netflix increased its efforts to block customers who circumvent geo-blockades.

As a result, it has become harder to use VPN services to access Netflix content from other countries. However, the measures also affect well-intentioned customers who merely use a VPN to protect their privacy.

This broad blocking policy has sparked wide protests and now that 12 months have passed, we take a closer look at where things stand today.

TorrentFreak spoke to several VPN providers who have to deal with the issue on a daily basis. Some are more open about it than others, but the overall consensus is that Netflix went a step too far by placing copyright protection above security.

“In my opinion, no one should have to sacrifice operational security for entertainment,” Torguard‘s Ben Van Pelt tells TorrentFreak.

Private Internet Access (PIA) sees the measures as a violation of pure Net Neutrality, noting the origin of traffic should be irrelevant. The Internet is a location by itself, they believe.

“It is an odd time when one can pay for a service and not be provided said service when not in the ‘correct physical’ geographical location. The Internet is its own jurisdiction,” PIA’s Caleb Chen says.

It is still unclear how Netflix’s IP-blacklisting works. A few providers have noticed that some of their IP-ranges were already banned before they were active, suggesting that Netflix automatically flags IPs from certain organizations.

Also, there’s a strong suspicion that the streaming service keeps track of how many logins there are from a given IP-address. When this hits a threshold, the address is then supposedly added to the blacklist as well.

The question on many people’s minds is; how effective are Netflix’s measures? According to the providers we spoke with, a lot of their shared IP-addresses were blacklisted quickly.

But, when something’s censored on the Internet, people generally try to find ways around it. This is also true for the Netflix VPN block. The Internet is littered with circumvention tips and tricks and some VPN providers are actively advertising that their service still works.

In reality, however, no VPN provider can guarantee that their service works 100% of the time. In most cases, new IP-addresses are swiftly blocked causing a lot of frustration among users.

“The fact that we have to play this game at all is incredibly frustrating. Lots of people sign up because they hear from a friend that LiquidVPN still works and then they cancel because they can’t get it working without asking for help,” Dave Cox from LiquidVPN tells us.

In terms of “help,” providers take a different approach as well. Some VPNs are taking a hands-off approach, but there are some that are willing to find solutions, often behind the scenes.

TorGuard has noticed that if users switch to a dedicated IP-address, which isn’t shared with others, Netflix works just fine. As a result, demand for these plans has increased quite a bit.

“We greatly expanded our Dedicated VPN IP pool and now offer Dedicated IP options in over 55 countries worldwide. This has proven to work flawlessly for users who wish to bypass VPN blockades with geo-restricted streaming services,” Torguard’s Ben Van Pelt says.

LiquidVPN informed us that bypassing the Netflix blocks on devices like phones, smart TVs, and streaming boxes requires technical know-how and is not for everyone. However, they are willing to offer assistance to people who want to access Netflix’s US catalog from a VPN.

Private Internet Access doesn’t offer any specific help but notes that they regularly add new IP-addresses. Although geo-unblocking is not a specific aim, they will do their best to ensure that users have access to an uncensored and unfiltered Internet.

“Private Internet Access will be introducing tens of thousands of fresh IP-addresses into rotation. Additionally, we are working on additional and aggressive new methods to ensure our clients receive a full, uncensored and net neutral Internet experience,” PIA’s Caleb Chen notes.

Then there are also providers who are not really interested in joining the blacklist whack-a-mole. Mullvad, for example, doesn’t support Netflix’s goals but doesn’t plan to actively counter them.

“Netflix and their suppliers are being silly and are stuck in a laughably outdated geographic distribution model. Geoblocking is not one of our main areas though, so if they want to go out of their way to drive away their own customers, we’ll let them,” Mullvad’s Daniel Berntsson says.

Lastly, there’s the Fight Club treatment ExpressVPN adheres to, avoiding public discussions on the topics wherever possible.

“To draw on the famous quote from the movie Fight Club, the first rule of Netflix is: do not talk about Netflix,” says David Lang, ExpressVPN’s Communications Manager.

While it’s impossible to draw any uniform conclusions, our general sense is that Netflix succeeded at making it very hard for casual VPN users to bypass geo-blockades.

Those who put some effort into it can probably find a way to access foreign Netflix catalogs, but even then it remains unclear how long these circumvention options will hold.

Disclaimer: PIA and ExpressVPN are TorrentFreak sponsors.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.